Abstract

Modern aircraft rely heavily on dependable operation of many safety-critical software components. Despite careful design, verification and validation (V&V), on-board software can fail with disastrous consequences if it encounters problematic software/hardware interaction or must operate in an unexpected environment.

We are using a Bayesian approach to monitor the software and its behavior during operation and provide up-to-date information about the health of the software and its components. The powerful reasoning mechanism provided by our model-based Bayesian approach makes reliable diagnosis of the root causes possible and minimizes the number of false alarms. Compilation of the Bayesian model into compact arithmetic circuits makes SWHM feasible even on platforms with limited CPU power. We show initial results of SWHM on a small simulator of an embedded aircraft software system, where software and sensor faults can be injected.
Software Can Fail

Despite careful SW development and V&V, safety-critical SW can fail.

• F-22 Raptors crossing the date-line: SW bug caused loss of navigation and communication

• Harrier Autolander: buggy radar-altimeter integration caused near-crash during landing (NASA)

• SPIRIT: overfull on-board file system caused reboot-loop after landing

• Ariane-V: SW reused from Ariane IV caused overflow and destruction of rocket

Software Health Management monitors the system and software during operation to

• reliably detect faults

• diagnose the most likely root cause(s) while minimizing the number of false alarms and missed adverse events
A Bayesian ISWHM

We are using Bayesian networks (BN) to construct a model of the software and its behavior in nominal and failure cases. BNs can be used to

• detect failure(s), and to

• perform detailed reasoning on the root cause of the problem

Example: low oil pressure and vibration indicates a likely problem with a bearing.


ISWHM Demonstration System 

For demonstration, we developed a small embedded system/SW simulator, where faults can be easily injected:

• Plant model: open NASA F-16 model

• Operating System: OSEK (simple real-time OS widely used in the automotive industry) simulator, to show suitability for small systems (UAV)

• simple GN&C with failure injection

• IVHM task uses arithmetic circuits



Modeling for ISWHM 

ISWHM models are constructed from 
(software) sensor nodes, unobservable 
status nodes, and health nodes. Low 
posteriors of health nodes indicate 
problems and poor SW health. 

Figure: OSEK tasks for ISWHM demonstrator

Results for Example Scenario 

Writes to an almost full on-board file system can cause delays in the control loop (if "badly" implemented), which can result in aircraft oscillations similar to dangerous PIO (pilot-induced oscillation). ISWHM can detect this situation (marked by the arrow in the figure).
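To make the modeling section and this scenario concrete, here is an added example that is not the poster's own model or code: a small ISWHM-style Bayesian network with two health nodes (file-write task, altimeter sensor), one unobservable status node (control-loop delay) and two software sensor nodes (timing jitter, pitch oscillation), evaluated by exact enumeration. All node names, the structure and the conditional probability tables are constructed assumptions; the point shown is that the posterior of the health node singles out the root cause (software versus sensor) rather than flagging both.

```python
from itertools import product

# Constructed ISWHM-style Bayesian network (assumed structure and CPTs, not the
# poster's model).  Node kinds follow the poster: health nodes HF/HS, an
# unobservable status node D, and software sensor nodes J/O.  Every node is
# boolean; True means "fault present" / "symptom observed".
# Entry: node -> (parents, {tuple of parent values: P(node=True | parents)})
NETWORK = {
    "HF": ((), {(): 0.01}),            # file-write task unhealthy (prior)
    "HS": ((), {(): 0.01}),            # altimeter sensor unhealthy (prior)
    "D": (("HF",), {(False,): 0.02, (True,): 0.80}),   # control-loop delay
    "J": (("D",), {(False,): 0.05, (True,): 0.90}),    # task-timing jitter seen
    "O": (("D", "HS"), {(False, False): 0.02, (True, False): 0.70,
                        (False, True): 0.60, (True, True): 0.90}),  # oscillation
}

def joint(assign):
    """Probability of one full assignment of all nodes (chain rule over CPTs)."""
    p = 1.0
    for node, (parents, cpt) in NETWORK.items():
        p_true = cpt[tuple(assign[q] for q in parents)]
        p *= p_true if assign[node] else 1.0 - p_true
    return p

def posterior(query, evidence):
    """P(query=True | evidence) by exact enumeration over the hidden nodes.
    Fine for a handful of nodes; the compiled arithmetic circuit the poster
    describes is the scalable alternative for on-board use."""
    hidden = [n for n in NETWORK if n != query and n not in evidence]
    weights = {True: 0.0, False: 0.0}
    for qv in (True, False):
        for vals in product((True, False), repeat=len(hidden)):
            assign = {**evidence, query: qv, **dict(zip(hidden, vals))}
            weights[qv] += joint(assign)
    return weights[True] / (weights[True] + weights[False])

def health_report(evidence, threshold=0.9):
    """Per health node: (P(healthy | sensors), flagged) with flagged meaning
    the posterior health dropped below the threshold."""
    report = {}
    for h in ("HF", "HS"):
        healthy = 1.0 - posterior(h, evidence)
        report[h] = (round(healthy, 4), healthy < threshold)
    return report

if __name__ == "__main__":
    for label, ev in [("nominal", {"J": False, "O": False}),
                      ("jitter + oscillation", {"J": True, "O": True}),
                      ("oscillation only", {"J": False, "O": True})]:
        print(label, health_report(ev))
```

With jitter and oscillation observed only the software health node drops below the threshold; with oscillation alone the sensor health node drops instead, which is the root-cause discrimination that keeps false alarms low.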

Figure: ISWHM: SW health drops indicating problem in SW

Figure: Bayesian ISWHM submodel